[Snyk] Fix for 14 vulnerable dependencies

ChristianMurphy commented 6 years ago

Description

This PR fixes one or more vulnerable packages in the maven dependencies of this project. See the Snyk test report for more details.

Snyk Project: christianmurphy/uportal-home:web/pom.xml

Snyk Organization: ChristianMurphy

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- pom.xml

Vulnerabilities that will be fixed

With an upgrade:

pom.xml
- ch.qos.logback:logback-classic@1.0.12 > ch.qos.logback:logback-classic@1.2.0
  - Arbitrary Code Execution
  - Arbitrary Code Execution
- edu.wisc.my.restproxy:rest-proxy-core@3.1.0 > edu.wisc.my.restproxy:rest-proxy-core@3.2.0
- org.springframework:spring-core@4.1.5.RELEASE > org.springframework:spring-core@4.1.7.RELEASE
  - Denial of Service (DoS)
- org.springframework:spring-web@4.1.5.RELEASE > org.springframework:spring-web@4.1.8.RELEASE
- org.springframework:spring-webmvc@4.1.5.RELEASE > org.springframework:spring-webmvc@4.3.15.RELEASE

You can read more about Snyk's upgrade and patch logic in Snyk's documentation.

Check the changes in this PR to ensure they won't cause issues with your project.

Stay secure, The Snyk team

ChristianMurphy commented 6 years ago

Forwarded from https://github.com/ChristianMurphy/uportal-home/pull/1

apetro commented 6 years ago

I'm not entirely sure how to evaluate this Pull Request. If I pull down the branch and smoke test it locally, should we figure that's probably good enough, merge it, and see what happens?

ChristianMurphy commented 6 years ago

Basically, for uPortal core, we've checked:

that the code compiles
that the portal can start
that the module where the library is used can start

Breaking changes need most of the testing.

Here the riskiest change is the SemVer minor spring upgrade. If the software starts, the lion's share of risk has been mitigated.

uPortal-Attic / uportal-home